CVE-2014-6195: IT04249: DP DOMINO PLUGIN CAN STILL BE USED BY THE BA JAVA GUI AND WEB GUI EVEN AFTER AUTHENTICATION FAILS WITH THE GUI

The (1) Java GUI and (2) Web GUI components in the IBM Tivoli Storage Manager (TSM) Backup-Archive client 5.4 and 5.5 before 5.5.4.4 on AIX, Linux, and Solaris; 5.4.x and 5.5.x on Windows and z/OS; 6.1 before 6.1.5.7 on z/OS; 6.1 and 6.2 before 6.2.5.2 on Windows, before 6.2.5.3 on AIX and Linux x86, and before 6.2.5.4 on Linux Z and Solaris; 6.3 before 6.3.2.1 on AIX, before 6.3.2.2 on Windows, and before 6.3.2.3 on Linux; 6.4 before 6.4.2.1; and 7.1 before 7.1.1 in IBM TSM for Mail, when the Data Protection for Lotus Domino component is used, allow local users to bypass authentication and restore a Domino database or transaction-log backup via unspecified vectors.

APAR status

  • Closed as program error.

Error description

  • When using the Tivoli Storage Manager for Mail: Data Protection for Domino plugin to the Tivoli Storage Manager Client’s Java GUI or Web GUI interfaces, use of those interfaces is possible even after a failed authentication attempt. Versions Affected: 5.4, 5.5, 6.1, 6.3, and 7.1

Local fix

  • Configure web access, and access to the local machine, in such a manner that only trusted users are allowed to access the TSM Backup-Archive Client Java GUI and Web GUI interfaces.

Problem summary

  • USERS AFFECTED: All Tivoli Storage Manager for Mail: Data Protection for Domino 5.4, 5.5, 6.3, 6.4, and 7.1

  • PROBLEM DESCRIPTION: See error description and security bulletin tech note located here: http://www.ibm.com/support/docview.wss?uid=swg21695183

Problem conclusion

  • The Tivoli Storage Manager Client software has been updated to prohibit usage of the Java GUI or Web GUI interface to Data Protection for Domino after an authentication failure.

Temporary fix

  • The complete list of interim fixes, by platform, is detailed in the security bulletin tech note located here: http://www.ibm.com/support/docview.wss?uid=swg21695183

Comments

APAR Information

  • APAR number

    IT04249

  • Reported component name

    TDP FOR DOMINO

  • Reported component ID

    5698DPDAP

  • Reported release

    71W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-09-07

  • Closed date

    2014-09-07

  • Last modified date

    2015-02-12

  • APAR is sysrouted FROM one or more of the following:
  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • PLUGIN

Fix information

  • Fixed component name

    TDP FOR DOMINO

  • Fixed component ID

    5698DPDAP

Applicable component levels

  • R71W PSY

    UP

  • R71A PSY

    UP

  • R71L PSY

    UP

  • R63A PSY

    UP

  • R63L PSY

    UP

  • R63D PSY

    UP

  • R63W PSY

    UP
